feat: add e2e testing (#78)

* feat: add e2e testing

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* feat: add e2e testing

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: add custom base image

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* chore: add custom base image

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

---------

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

Author: oliverbaehler

.github/configs/lintconf.yaml

@@ -5,6 +5,7 @@ ignore:
   - charts/**/templates/
   - docs/**
   - hack/**
+  - e2e/testdata/**
 rules:
   truthy:
     level: warning

.github/workflows/docker-build.yml

@@ -24,6 +24,11 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+      - name: Setup Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
       - name: ko build
         run: VERSION=${{ github.sha }} make ko-build-all
       - name: Trivy Scan Image

.github/workflows/docker-publish.yml

@@ -27,6 +27,13 @@ jobs:
           echo "version=$VERSION" >> $GITHUB_OUTPUT
       - name: Install Cosign
         uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
+
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+      - name: Setup Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+
       - name: Publish with KO
         id: publish
         uses: peak-scale/github-actions/make-ko-publish@a441cca016861c546ab7e065277e40ce41a3eb84 # v0.2.0

.github/workflows/e2e.yaml

@@ -23,11 +23,6 @@ concurrency:
 jobs:
   kind:
     name: Kubernetes
-    strategy:
-      fail-fast: false
-      matrix:
-        k8s-version:
-        - "v1.31.0"
     runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -40,4 +35,4 @@ jobs:
         with:
           version: v3.14.2
       - name: e2e testing
-        run: KIND_K8S_VERSION="${{ matrix.k8s-version }}" make e2e
+        run: make e2e

.gitignore

@@ -14,6 +14,7 @@
 # Output of the go coverage tool, specifically when used with LiteIDE
 *.out
 config
+.DS_Store
 
 # Dependency directories (remove the comment below to include it)
 # vendor/

Dockerfile.base

@@ -0,0 +1,8 @@
+FROM docker.io/library/alpine:3.21
+
+RUN apk --no-cache add ca-certificates  gnupg \
+  && update-ca-certificates
+
+USER 65534:65534
+
+ENV GNUPGHOME=/tmp

Makefile

@@ -18,7 +18,7 @@ IMG             ?= $(IMG_BASE):$(VERSION)
 FULL_IMG          ?= $(REGISTRY)/$(IMG_BASE)
 
 ## Kubernetes Version Support
-KUBERNETES_SUPPORTED_VERSION ?= "v1.33.0"
+KUBERNETES_SUPPORTED_VERSION ?= v1.32.0
 
 ## Tool Binaries
 KUBECTL ?= kubectl
@@ -127,6 +127,11 @@ ifdef VERSION
 KO_TAGS         := $(KO_TAGS),$(VERSION)
 endif
 
+BASE_DOCKERFILE ?= Dockerfile.base
+BASE_IMAGE_TAG ?= ko.local/peak-scale/sops-operator:base
+BASE_BUILD_ARGS ?= --load
+KO_DEFAULTBASEIMAGE := $(BASE_IMAGE_TAG)
+
 LD_FLAGS        := "-X main.Version=$(VERSION) \
 					-X main.GitCommit=$(GIT_HEAD_COMMIT) \
 					-X main.GitTag=$(VERSION) \
@@ -137,14 +142,21 @@ LD_FLAGS        := "-X main.Version=$(VERSION) \
 # Docker Image Build
 # ------------------
 
+.PHONY: build-base-image
+build-base-image: ## Build base image using Docker Buildx
+	@docker buildx build ${BASE_BUILD_ARGS} \
+		--platform=$(KO_PLATFORM) \
+		--tag ${BASE_IMAGE_TAG} \
+		--file $(BASE_DOCKERFILE) .
+
 .PHONY: ko-build-controller
-ko-build-controller: ko
+ko-build-controller: ko build-base-image
 	@echo Building Controller $(FULL_IMG) - $(KO_TAGS) >&2
-	@LD_FLAGS=$(LD_FLAGS) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(FULL_IMG) \
+	@LD_FLAGS=$(LD_FLAGS) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(FULL_IMG) KO_DEFAULTBASEIMAGE=$(BASE_IMAGE_TAG) \
 		$(KO) build ./cmd/ --bare --tags=$(KO_TAGS) --push=false --local --platform=$(KO_PLATFORM)
 
 .PHONY: ko-build-all
-ko-build-all: ko-build-controller
+ko-build-all:  ko-build-controller
 
 # Docker Image Publish
 # ------------------
@@ -199,7 +211,7 @@ CLUSTER_NAME ?= "sops-operator"
 e2e: e2e-build e2e-exec e2e-destroy
 
 e2e-build: kind
-	$(KIND) create cluster --wait=60s --name $(CLUSTER_NAME) --image=kindest/node:$(KUBERNETES_SUPPORTED_VERSION)
+	$(KIND) create cluster --wait=60s --config e2e/kind.yaml --name $(CLUSTER_NAME) --image=kindest/node:$(KUBERNETES_SUPPORTED_VERSION)
 	$(MAKE) e2e-install
 
 e2e-exec: ginkgo
@@ -208,7 +220,7 @@ e2e-exec: ginkgo
 e2e-destroy: kind
 	$(KIND) delete cluster --name $(CLUSTER_NAME)
 
-e2e-install: e2e-load-image e2e-install-addon-helm
+e2e-install: e2e-load-image e2e-install-addon-helm e2e-install-distro
 
 e2e-install-addon-helm:
 	helm upgrade \
@@ -224,6 +236,11 @@ e2e-install-addon-helm:
 		sops-operator \
 		./charts/sops-operator
 
+e2e-install-distro:
+	@$(KUBECTL) kustomize e2e/manifests/flux/ | kubectl apply -f -
+	@$(KUBECTL) kustomize e2e/manifests/distro/ | kubectl apply -f -
+	@$(MAKE) wait-for-helmreleases
+
 .PHONY: e2e-load-image
 e2e-load-image: ko-build-all
 	kind load docker-image --name $(CLUSTER_NAME) $(FULL_IMG):$(VERSION)
@@ -313,6 +330,14 @@ ko:
 	@test -s $(KO) && $(KO) -h | grep -q $(KO_VERSION) || \
 	$(call go-install-tool,$(KO),github.com/$(KO_LOOKUP)@$(KO_VERSION))
 
+BUILDAH           := $(LOCALBIN)/buildah
+BUILDAH_VERSION   := v1.40.0
+BUILDAH_LOOKUP    := containers/buildah
+buildah:
+	@test -s $(BUILDAH) && $(BUILDAH) -h | grep -q $(BUILDAH_VERSION) || \
+	$(call go-install-tool,$(BUILDAH),github.com/$(BUILDAH_LOOKUP)/cmd/buildah@$(BUILDAH_VERSION))
+
+
 GOLANGCI_LINT          := $(LOCALBIN)/golangci-lint
 GOLANGCI_LINT_VERSION  := v2.1.5
 GOLANGCI_LINT_LOOKUP   := golangci/golangci-lint
@@ -328,6 +353,20 @@ apidocs-gen: ## Download crdoc locally if necessary.
 	@test -s $(APIDOCS_GEN) && $(APIDOCS_GEN) --version | grep -q $(APIDOCS_GEN_VERSION) || \
 	$(call go-install-tool,$(APIDOCS_GEN),fybrik.io/crdoc@$(APIDOCS_GEN_VERSION))
 
+AGE_KEYGEN    := $(LOCALBIN)/age-keygen
+AGE           := $(LOCALBIN)/age
+AGE_VERSION   := v1.2.1
+AGE_LOOKUP    := FiloSottile/age
+age:
+	@$(call go-install-tool,$(AGE_KEYGEN),filippo.io/age/cmd/age-keygen@$(AGE_VERSION))
+	@$(call go-install-tool,$(AGE),filippo.io/age/cmd/age@$(AGE_VERSION))
+
+SOPS          := $(LOCALBIN)/sops
+SOPS_VERSION  := v3.10.2
+SOPS_LOOKUP   := getsops/sops
+sops:
+	@$(call go-install-tool,$(SOPS),github.com/$(SOPS_LOOKUP)/v3/cmd/sops@$(SOPS_VERSION))
+
 # go-install-tool will 'go install' any package $2 and install it to $1.
 PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
 define go-install-tool

README.md

@@ -11,15 +11,25 @@
 </a>
 </p>
 
-> This project is currently in public beta and under active development. Please report any issues you encounter.
+> [!IMPORTANT]
+> Regarding the code, most of the SOPS implementation was taken from the [Flux kustomize-constroller](https://github.com/fluxcd/kustomize-controller/blob/main/internal/decryptor/decryptor.go) project. We have left the License-Header as-is, if further attribution is wished, please open an issue. We go the idea from the existing [sops-operator](https://github.com/isindir/sops-secrets-operator). However the implementation was not optimal for our use-cases, that's why we decided to release our own solution.
 
 # SOPS-Operator ❤️
 
 ![SOPS](https://avatars.githubusercontent.com/u/129185620?s=48&v=4)
 
-We have always loved how [Flux handles Secrets with SOPS](https://fluxcd.io/flux/guides/mozilla-sops/), it's such a seamless experience. However we have noticed, that it's kind of hard to actually distribute keys to users in a kubernetes native way. That's why we built this operator. It introduces [Providers](docs/usage.md#providers), which essentially match Kubernetes resources which represent Keys or access to KMS stores. On the Provides you also declare, which [Secrets](docs/usage.md#secrets) you want to encrypt with that provider. **Currently only works with PGP and AGE for n-secrets** That leaves open that, N-providers can load private keys for one Secret, in complex scenarios.
+We have always loved how [Flux handles Secrets with SOPS](https://fluxcd.io/flux/guides/mozilla-sops/), it's such a seamless experience. However we have noticed, that it's kind of hard to actually distribute keys to users in a kubernetes native way. That's why we built this operator. It introduces [Providers](docs/usage.md#providers), which essentially match Kubernetes resources which represent Keys or access to KMS stores. On the Provides you also declare, which [Secrets](docs/usage.md#secrets) you want to encrypt with that provider. **Currently only works with PGP and AGE for n-secrets** That leaves open that, N-providers can load private keys for one Secret, in complex scenarios. Also we want to provide a general solution to decrypting secrets, not a solution which is dependent on a gitops engine.
+
+
+## Concept
+
+This Operators introduces the concept of [SopsProviders](./docs/usage.md#providers). `SopsProviders` are created by Cluster-Administrators and are essentially a connecting-piece for collecting private-keys and [`SopsSecrets`](./docs/usage.md#sopssecrets), which can use these keys for decryption.
+
+With this option an Kubernetes users may manage their own keys and [`SopsSecrets`](./docs/usage.md#sopssecrets). The implementation of `SopsSecrets` allows them to be applied to the Kubernetes API with sops encryption-meta. The entire decryption happens within the cluster. So a `SopsSecret` is applied the way it's stored eg. in git.
+
+
+![Sops Operator](./docs/assets/sops-operator.gif)
 
-> Regarding the code, most of the SOPS implementation was taken from the [Flux kustomize-constroller](https://github.com/fluxcd/kustomize-controller/blob/main/internal/decryptor/decryptor.go) project. We have left the License-Header as-is, if further attribution is wished, please open an issue. We go the idea from the existing [sops-operator](https://github.com/isindir/sops-secrets-operator). However the implementation was not optimal for our use-cases, that's why we decided to release our own solution.
 
 ## Documentation
 

api/v1alpha1/sopsprovider_status.go

@@ -36,6 +36,12 @@ func (ms *SopsProviderStatus) GetInstance(stat *SopsProviderItemStatus) *SopsPro
 func (ms *SopsProviderStatus) UpdateInstance(stat *SopsProviderItemStatus) {
 	for i, source := range ms.Providers {
 		if ms.instancequal(source, stat) {
+			if source.Type == stat.Type &&
+				source.Status == stat.Status &&
+				source.Reason == stat.Reason && source.Message == stat.Message {
+				return
+			}
+
 			ms.Providers[i] = stat
 
 			return

charts/sops-operator/crds/addons.projectcapsule.dev_sopsproviders.yaml

@@ -379,6 +379,9 @@ spec:
                     namespace:
                       description: namespace of Object
                       type: string
+                    uid:
+                      description: namespace of Object
+                      type: string
                   required:
                   - name
                   type: object